Objective
In this exercise, you will install and configure a Cisco Secure Access Control Server (ACS) 4.1 on Windows 2000 to provide centralized authentication services to Cisco IOS devices. You will take a tour of the interface and features of Cisco Secure ACS, and configure the switch to offload all authentication tasks to the configured ACS server. You will install the ACS server to the lab server system, which is the only network end-system used in this exercise. You will also configure a Cisco Catalyst switch to use authentication, authorization, and accounting (AAA) services to authenticate network administrators and LAN users.
Command List
Use the following commands to complete this exercise:
aaa authentication enable default method1 [method2...]
    Determines if a user can access the privileged command level
aaa authentication login {default | list-name} method1 [method2...]
    Enables AAA authentication at login
aaa new-model
    Enables the AAA access control model
login authentication {default | list-name}
    Enables AAA authentication for logins (applied under a line)
tacacs-server host hostname [key string]
    Specifies a TACACS+ host
username name [nopassword | password [encryption-type] password]
    Establishes a username-based authentication system at login
aaa authentication dot1x default group radius
    Creates an IEEE 802.1x authentication method list
aaa authorization network default group radius
    Configures the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment
aaa accounting dot1x default start-stop group radius
    Enables AAA accounting and creates method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions; sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process
radius-server host hostname
    Specifies the IP address of a RADIUS server host
radius-server key string
    Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon
dot1x system-auth-control
    Enables IEEE 802.1x authentication globally on the switch
dot1x port-control {auto | force-authorized | force-unauthorized}
    Enables manual control of the authorization state of the port, and causes the port to change to the authorized or unauthorized state based on the IEEE 802.1x authentication exchange between the switch and the client
dot1x timeout {tx-period | supp-timeout | ...} seconds
    Sets various timeouts
dot1x reauthentication
    Enables periodic reauthentication of the client
dot1x guest-vlan vlan-id
    Specifies an active VLAN as an IEEE 802.1x guest VLAN
dot1x host-mode multi-host
    Allows multiple hosts (clients) on an IEEE 802.1x-authorized port
dot1x auth-fail vlan vlan-id
    Specifies an active VLAN as an IEEE 802.1x restricted VLAN
show dot1x [all | interface]
    Shows details for an identity profile
debug dot1x events
    Displays major events in the 802.1x authentication process
Detailed Instructions
Follow the steps described in the tasks to complete the exercise.
Step 1
Using terminal services, log in to the AAA Server using the credentials listed in the User Credentials Information section.
Step 2
Open the Cisco Secure ACS Install folder on your desktop.
Step 3
Start the installation process by executing the Setup.exe file in the folder.
Step 4
Click OK if you are warned about memory requirements. The ACS will function normally on the lab platform.
Step 5
Click Accept to acknowledge the terms of the Cisco Secure ACS license agreement.
Step 6
Click Next in the Welcome window.
Step 7
Select all items listed in the Before You Begin window and click Next.
Step 8
Click Next to accept the default settings in the Choose Destination Location window.
Step 9
Select the Also check the Windows User Database radio button in the Authentication Database Configuration window.
Step 10
Select the Yes, refer to Grant dial-in permission to user setting check box in the Authentication Database Configuration window and click Next.
Step 11
Check all boxes within the Advanced Options window and click Next.
Step 12
Accept the default settings within the Active Service Monitoring window by clicking Next.
Step 13
Enter any password to protect the Cisco Secure ACS database and click Next.
Step 14
Finally, click Next to complete the installation and start the Cisco Secure ACS services and the Cisco Secure ACS administrator.
Verification
Step 15
After Cisco Secure ACS has been installed, its user interface should start automatically. The installation also creates an ACS Admin icon on the desktop of the AAA Server. You may click on the icon to access the ACS administration and configuration interface. A web-based ACS interface will appear in the browser.
If the Cisco Secure ACS user interface appears after installation, and contains the elements as seen in Figure 6, the installation of Cisco Secure ACS has been successful.
Step 16
On the AAA Server, in the Cisco Secure ACS administration interface, scroll down to see the details about the software.
Q1: What is the full release version and build number?
Step 17
Examine the user setup functions by selecting User Setup in the left frame and clicking the List All Users button.
Q2: How many users are configured?
Step 18
Examine the group setup functions by selecting Group Setup in the left frame.
Q3: What group is shown in the Group scroll list?
Step 19
Click on the Users in Group button.
Q4: How many users are in the group?
Step 20
Examine the system configuration functions by selecting System Configuration in the left frame and selecting Service Control.
Q5: What is the status of the Cisco Secure service, the level of detail for logging, and the frequency of new file generation?
Step 21
Click Cancel to return to the previous menu and select Logging.
Q6: What log targets are enabled?
Step 22
Click Cancel to return to the previous menu and select Local Password Management.
Q7: What is the purpose of the password validation option?
Step 23
Click Cancel to return to the previous menu and select Cisco Secure Database Replication.
Q8: What is the purpose of the Cisco Secure Replication Setup?
Step 24
Click Cancel to return to the previous menu and select ACS Backup.
Q9: Where can the ACS user and group databases be backed up?
Step 25
Click Cancel to return to the previous menu and select ACS Restore.
Q10: What components can be backed up and restored?
Step 26
Click Cancel to return to the previous menu and select ACS Service Management.
Q11: What are the two ways a system administrator can be notified of logged events?
Step 27
Click Cancel to return to the previous menu.
Step 28
Examine the user interface configuration functions by selecting Interface Configuration in the left frame and selecting User Data Configuration.
Q12: Why are user-defined fields useful?
Step 29
Click Cancel to return to the previous menu, select Advanced Options, and select all options.
Q13: What is the purpose of selecting advanced options?
Step 30
Select Submit and return to the previous menu.
Step 31
Select Administration Control in the left frame.
Q14: What administrator accounts are configured by default?
Q15: What is the purpose of the administrator control configuration section?
Step 32
Examine the external user database functions by selecting External User Databases in the left frame.
Note
If you cannot see the Administration Control button in the left frame due to the limited window size, use the Tab key to move between the buttons.
Step 33
Select Unknown User Policy.
Q16: Which two options are available if a user is not found in the ACS database? Which of the two options is the default?
Q17: Which external databases can be checked for the unknown user?
Step 34
Click Cancel to return to the previous menu, select Database Group Mappings, and view the help section.
Step 35
Click Cancel to return to the previous menu and select Database Configuration.
Q18: What can you select in the External User Database Configuration section?
Step 36
Click Cancel to return to the previous menu.
Step 37
Examine the reports and activity functions by selecting Reports and Activity in the left frame and selecting Administration Audit.
Q19: What appears in the Administration Audit.csv file?
Step 38
Select Online Documentation in the left frame.
Step 39
(Optional) Take a moment to browse the new features, software requirements, and troubleshooting sections of the online documentation.
Step 40
Select Network Configuration in the left frame.
Step 41
Click Add Entry in the Network Device Groups section, and configure a AAA client group named LAN Switches (leave all other fields blank).
Step 42
Click Submit to create the group.
Step 43
Click the LAN Switches link and then the Add Entry button to configure a AAA client using the following parameters:
AAA Client Hostname: Switch-TAC+
Client IP address: 10.1.2.1
Shared Secret: vErYrAnDoM
Authenticate Using: TACACS+ (Cisco IOS)
Note
In real life, use a very random string of at least 16 characters for the TACACS+ authentication and encryption key.
Step 44
Click Submit.
Configuring Cisco Secure ACS and AAA 11
Step 45
Click Add Entry again to configure another AAA client using the following parameters:
Client IP address: 10.1.2.1
Shared Secret: vErYrAnDoM
Authenticate Using: RADIUS (Cisco IOS/PIX 6.0)
Step 46
Click Submit + Apply.
Step 47
Select Interface Configuration in the left frame.
Step 48
Select TACACS+ (Cisco IOS).
Step 49
In the TACACS+ Services section, select Shell (exec) in both the User and Group columns.
Step 50
Scroll down and, in the Advanced Configuration Options section of the same window, select all four options.
Step 51
Click Submit.
Note
By adding at least one TACACS+ client, the TACACS+ interface configuration option becomes available. By adding at least one RADIUS client, the RADIUS interface configuration options become available.
Step 52
Create a new user group by clicking Group Setup in the left frame.
Step 53
Select Group 1 from the drop-down list.
Step 54
Rename the group to Administrators by clicking Rename Group, highlighting the existing name, typing in the new group name, and clicking Submit.
Step 55
Modify the password change policy for administrators by selecting Edit Settings and setting the group settings as follows: in the Password Aging Rules section, configure the Apply age-by-date rule for 30 days active, a warning period of 4, and a grace period of 4. Leave all other sections at their default values.
Step 56
Click Submit + Restart.
Step 57
Rename Group 2 to Engineering.
Step 58
Rename Group 3 to Sales.
Step 59
Add a user admin, member of the Administrators group, to the Cisco Secure ACS database by clicking User Setup in the left frame.
2007, NIL Data Communications
Step 60
Enter admin as the username.
Step 61
Enter admin as the password, and enter the password again to confirm it.
Step 62
Scroll to the Group selection drop-down menu and assign the user to the Administrators group.
Step 63
Scroll to the Account Disable section, select Disable account if, and select the Failed attempts exceed: 5 check box.
Step 64
Click Submit.
Step 65
Create another user with username alice and password alice. Make this user a member of the Engineering group.
Step 66
Create another user with username john and password john. Make this user a member of the Sales group.
Verification
Step 67
Click List All Users in the User Setup Select frame and verify that the users you just added are present and correctly configured.
Q20: What is the main difference between the parameters in the user and group setups?
Task 4: Configure the Switch to Authenticate Network Administrators against the Cisco Secure Database
In this task, you will configure the Switch in your lab to use the Cisco Secure ACS as its authentication server, with TACACS+ as the protocol that carries the authentication requests from the switch to the server.
Step 68
On the Switch, configure an enable secret ciscosecret.
Step 69
Enable the new model of AAA.
Step 70
Configure the location of the TACACS+ server using the following parameters:
Step 71
Configure an emergency local administrator account with the username localadmin and password localadmin.
Note You will be able to use this username to log in if the TACACS+ server is down or misconfigured.
Step 72
Configure a named AAA authentication method list for login authentication, using TACACS+ (group tacacs+, which represents all configured TACACS+ servers) as the first, and the local database as the fallback means of authentication.
Step 73
Apply the configured named authentication method list to the console and all vty lines.
Step 74
For added security, create a default login method, which only uses the enable secret (or the enable password, if the enable secret is not configured) to authenticate users. This will serve as a blanket authentication requirement if you forget to apply a specific named login method to a line.
Verification
Step 75
From the AAA Server, telnet to the switch (10.1.2.1) by clicking on the icon Telnet to Router and log in using username admin with password admin. You should successfully log in.
C:\> telnet 10.1.2.1
Username: admin
Password: admin
Printout 1: Login to the Switch
Note
If you cannot log in, recheck your work and debug the AAA process (debug aaa authentication) or the TACACS+ events (debug tacacs) to determine the reason for the failure. Also examine the Failed Attempts report under the Reports and Activity section of the Cisco Secure ACS user interface.
Step 76
In Cisco Secure ACS, edit the Administrators group.
Step 77
In the Enable Options section, select Max Privilege for Any AAA Client and set it to level 15. This will allow these users to access the privileged mode when the per-user enable secret is stored on the AAA server. Click Submit + Restart to enable the settings.
Step 78
Edit the user admin.
Step 79
Scroll to the Advanced TACACS+ Settings. In the TACACS+ Enable Control section, select Use Group Level Setting, and in the TACACS+ Enable Password section, select the Use Separate Password check box. Enter a password of adminsecret.
Step 80
Click Submit to enable the settings.
Step 81
On the Switch, configure a named AAA authentication method for enable authentication, using TACACS+ as the first, and the enable secret as the fallback means of authentication. The local enable secret will only be used if the TACACS+ server is unavailable.
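The switch-side configuration that steps 68 to 74 and step 81 describe, as an added worked example rather than a printout from the lab. It uses the TACACS+ server address 10.1.2.2 and key vErYrAnDoM given later in the exercise; the method-list name TACACS_LOGIN is an assumed name, and standard Cisco IOS syntax is assumed throughout.

```ios
! Added example, not a printout from the lab: Cisco IOS configuration for steps 68-74 and 81.
! Assumed: method-list name TACACS_LOGIN; server 10.1.2.2 and key vErYrAnDoM as given in the exercise.
enable secret ciscosecret
aaa new-model
!
! TACACS+ server; the key must match the Shared Secret entered for the AAA client on ACS
tacacs-server host 10.1.2.2 key vErYrAnDoM
!
! Emergency local account ("secret" stores a hash instead of the reversible type 7 password)
username localadmin secret localadmin
!
! Blanket default: a line with no named list applied still requires the enable secret
aaa authentication login default enable
!
! Named login list: all configured TACACS+ servers first, the local user database only as fallback.
! Caveat: "local" is consulted only when no TACACS+ server answers at all. A server that answers
! with a REJECT ends the attempt, so a wrong ACS password is never retried against localadmin.
aaa authentication login TACACS_LOGIN group tacacs+ local
!
! Enable authentication: the per-user enable password held on ACS first,
! the local enable secret only when no TACACS+ server is reachable
aaa authentication enable default group tacacs+ enable
!
! Apply the named list to the console and to all vty lines (adjust the vty range to the platform)
line con 0
 login authentication TACACS_LOGIN
line vty 0 15
 login authentication TACACS_LOGIN
```

With this configuration a TACACS+ outage leaves localadmin and the local enable secret as the only way in, so keep both credentials where an operator can reach them offline.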
Verification
Step 82
From the AAA Server, telnet to the switch (10.1.2.1) and log in using username admin with password admin. You should successfully log in.
C:\> telnet 10.1.2.1
Username: admin
Password: admin
Printout 3: Login to the Switch
Step 83
Enter privileged mode using the password adminsecret. As this is your per-user enable password, the transition to privileged mode should succeed.
SNRSSwitch> enable
Password: adminsecret
SNRSSwitch#
Printout 4: Entering privileged mode on the Switch
Note
If you cannot log in or enter the enable mode, recheck your work and debug the AAA process (debug aaa authentication) or the TACACS+ events (debug tacacs) to determine the reason for the failure. Also examine the Failed Attempts report under the Reports and Activity section of the Cisco Secure ACS user interface.
Step 84
Log into the Desktop by clicking its icon in the lab topology and authenticating using the credentials listed in the User Credentials Information section.
Step 85
Open Start > Network Connections, right-click on the LAB connection, select Properties, and then select the Authentication tab.
Step 86
Ensure that the Enable Network Access Control Using IEEE 802.1x check box is checked.
Step 87
Select MD5-Challenge as the EAP type.
Step 88
Uncheck the Authenticate as computer when computer information is available check box.
Step 89
Click OK.
Step 90
Connect to the Switch; if necessary, log in as admin with password admin and enable password adminsecret.
Step 91
Configure a RADIUS host using the same IP address and key as for the TACACS+ host configuration (IP address 10.1.2.2, key vErYrAnDoM).
Step 92
Create a named 802.1x authentication method list, which uses the default RADIUS group.
Step 93
Configure the Switch for user RADIUS authorization for all network-related service requests.
Note
To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.
Step 94
Enable IEEE 802.1x authentication globally.
Step 95
Determine the preconfigured VLANs by issuing the show vlan command. Your list of preconfigured VLANs should resemble the list in Table 1.
VLAN  Description
10    Users VLAN used on ports connecting users before 802.1x
20    Management VLAN hosting the Cisco Secure ACS
30    Guest VLAN for users without the 802.1x supplicant or users failing to authenticate
40    Engineering VLAN for users in the Engineering group
50    Sales VLAN for users in the Sales group
60    Unauthenticated VLAN for devices before 802.1x starts
Table 1: Preconfigured VLANs on the Switch
Step 96
Configure the FastEthernet 0/22 interface connecting to the Desktop for 802.1x authentication using the following characteristics:
Put the port into VLAN 60 (Unauthenticated VLAN) used for unauthenticated users
Enable automatic 802.1x port authorization
Enable periodic re-authentication
Specify an active VLAN 30 (Guest VLAN) as an 802.1x guest VLAN (devices without an 802.1x supplicant)
Specify an active VLAN 30 (Guest VLAN) also as an 802.1x failed VLAN (devices with an 802.1x supplicant but failing to authenticate)
Specify a maximum of two allowed authentication attempts before a port moves to the Guest VLAN
Set the timeout for supplicant reply to 3 seconds
Set the timeout for supplicant retries to 3 seconds
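The switch-side commands for steps 90 to 96, as an added example in Cisco IOS syntax and not the lab's own configuration. It also includes the accounting command from the command list, which no step asks for; the server address 10.1.2.2, key vErYrAnDoM, and VLANs 30 and 60 are the values given in the exercise.

```ios
! Added example, not the lab's own configuration: 802.1x setup for steps 90-96.
! Values from the exercise: RADIUS server 10.1.2.2 / key vErYrAnDoM, guest and auth-fail VLAN 30,
! unauthenticated VLAN 60. Accounting is taken from the command list, not from a step.
aaa new-model
radius-server host 10.1.2.2 key vErYrAnDoM
!
! 802.1x sessions authenticate against the RADIUS group (step 92); network authorization
! lets ACS push a VLAN to the port (step 93); accounting sends start/stop records per session
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! Global switch (step 94): without it, the per-port dot1x commands below have no effect
dot1x system-auth-control
!
interface FastEthernet0/22
 switchport mode access
 ! VLAN 60 is where the port sits while it is still unauthorized
 switchport access vlan 60
 ! The port becomes AUTHORIZED only after a successful EAP exchange (or a VLAN fallback)
 dot1x port-control auto
 ! Periodic re-authentication; ReAuthPeriod keeps its 3600 s default
 dot1x reauthentication
 ! No supplicant (EAP-Request/Identity times out) -> port is placed in VLAN 30
 dot1x guest-vlan 30
 ! Supplicant present but credentials rejected -> port is placed in VLAN 30 as well
 dot1x auth-fail vlan 30
 ! Two failed attempts before the auth-fail VLAN is applied
 dot1x auth-fail max-attempts 2
 ! Seconds the switch waits for the supplicant's EAP reply
 dot1x timeout supp-timeout 3
 ! Seconds between EAP-Request/Identity retransmissions (three are sent before giving up)
 dot1x timeout tx-period 3
```

Because guest and auth-fail VLAN are the same here, a device that fails authentication ends up with exactly the access a device with no supplicant gets; keep that VLAN's reachability to a minimum, since the switch forwards on it without any proof of identity.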
Verification
Step 97
Shut down the FastEthernet 0/22 interface on the Switch.
interface FastEthernet0/22
 shutdown
Configuration 1: Shutting down the FastEthernet 0/22 interface on the Switch
Step 98
On the Desktop, right-click on the LAB connection in the Network Connections window and select Disable.
Note
Because of the architecture of the remote lab, this approach is necessary, as there are multiple switches between the Switch and the Desktop. A disconnected LAB port on the Desktop is not detected by the Switch, and a shut down FastEthernet 0/22 interface on the Switch is not detected by the Desktop. We must, therefore, shut down the FastEthernet 0/22 interface on the Switch and disable the LAB port on the Desktop, and then re-enable the two ports almost simultaneously to simulate a physical PC being connected to the Switch.
Step 99
Enable the FastEthernet 0/22 interface on the Switch (this starts the 802.1x authentication process).
interface FastEthernet0/22
 no shutdown
Configuration 3: Enabling the FastEthernet 0/22 interface on the Switch
Step 100
Immediately afterwards, enable the LAB port on the Desktop (this starts a new DHCP request) to simulate the physical connection of the PC to the switch.
Note
Because there are multiple switches between the Desktop and the Switch it is not possible to test 802.1x authentication. We can, however, test the Guest VLAN functionality as the Desktop will appear to the Switch as a client without a supplicant.
SNRSSwitch(config-if)#
13:22:22: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:22: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/22 has changed to UP
13:22:22: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
13:22:22: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
13:22:22: dot1x-ev:Created a default authenticator instance on FastEthernet0/22
13:22:22: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/22
SNRSSwitch(config-if)#13:22:22: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/22
13:22:22: %LINK-3-UPDOWN: Interface FastEthernet0/22, changed state to up
SNRSSwitch(config-if)#
13:22:23: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:23: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:23: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:26: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:26: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:26: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:29: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:29: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:29: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:32: dot1x-ev:Received an EAP Timeout on FastEthernet0/22 for mac 0000.0000.0000
13:22:32: dot1x-ev:dot1x_guest_vlan_authc_fail: Authentication failure due to non responsive client on FastEthernet0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_authc_fail: Activating guest VLAN 30 on port
13:22:32: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 30 on interface FastEthernet0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:32: dot1x-ev:vlan 30 vp is added on the interface FastEthernet0/22
13:22:32: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/22
13:22:32: dot1x-ev:Received successful Authz complete for 0000.0000.0000
13:22:32: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:32: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:32: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
13:22:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, changed state to up
SNRSSwitch(config-if)#
Printout 5: 802.1x Debugging
Step 101
On the Desktop, open a command prompt and verify the assignment of the IP address from the DHCP pool for the Guest VLAN 30 (the IP address should be from the 10.1.3.0/24 network).
Note If no IP address has been assigned yet, use the ipconfig /renew command to request an address via DHCP again.
C:\WINDOWS>ipconfig

Windows IP Configuration

Ethernet adapter MGMT:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.250.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter LAB:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.3.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.3.1
Printout 6: Desktop received IP address from DHCP pool for Guest VLAN
Note
It may take some time for the Desktop to acquire the address as the 802.1x authentication process tries to communicate with the Desktop before giving up and assigning the Desktop to the Guest VLAN.
Step 102
On the Switch, view the 802.1x status of the FastEthernet 0/22 interface.
SNRSSwitch#show dot1x interface FastEthernet 0/22 details
Dot1x Info for FastEthernet0/22
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 3
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 3
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 30
Auth-Fail-Max-attempts    = 2
Guest-Vlan                = 30

Dot1x Authenticator Client List Empty

Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Operational HostMode      = MULTI_HOST
Vlan Policy               = 30